Posted by Soulskill on Saturday April 26, 2014 @12:42PM from the su-casa-es-mi-casa dept.

New submitter sim2com writes: "An American judge has just added another reason why foreign (non-American) companies should avoid using American Internet service companies. The judge ruled that search warrants for customer email and other content must be turned over, even when that data is stored on servers in other countries. The ruling came out of a case in which U.S. law enforcement was demanding data from Microsoft's servers in Dublin, Ireland. Microsoft fought back, saying, 'A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the government disagrees.'

If this ruling stands, foreign governments will not be happy about having their legal jurisdiction trespassed by American courts that force American companies to turn over customers' data stored in their countries. The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime."

I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

Then the company is going to have to choose which country's laws to break, and suffer the consequences. In the extreme case, this will result in companies deciding that it's not worth operating in particular sets of countries.

What if I encrypted a block of my data, broke those blocks up, then stored separate (non-duplicate) pieces in every country in the world? Would a court need to get every country's permission to assemble the data? Is the data an entity that has to be pursued independently of the owner (me)? Or as the owner, can my citizenship country (or a country that is pursuing me) instead demand all pieces based on me as the owner?

Data is legally owned and controlled by somebody, and that's the one getting the subpoena. So as far as I know the law over here (IANAL) the answer is yes: the court that can claim jurisdiction can apply its laws and if they say they can order you to give up the data and decrypt it, then you have to.

In my (amateur) opinion, the only way Microsoft would have gotten out of this one is if they had sold the data to another company that would reside in Ireland and that would be legally independent. Say, "MicrosoftDataHolding Ireland". However, *that* company could be ordered by the Irish courts to turn over the data to the Irish government, independent of what Microsoft USA would want. They wouldn't even be part of the case.

Data is legally owned and controlled by somebody, and that's the one getting the subpoena.

Read it again. Even the /. summary covers it properly.

They did not get a subpoena, which would have forced Microsoft to turn it over. They used a search warrant, which allows the (unspecified) government to swoop in and seize the servers. Located in Ireland. Using a US's renowned paramilitary law enforcement. In Ireland. Seizing Irish equipment from an Irish branch of the company, used by Irish people and defended by an Irish police force.

The (unspecified) US government agency requested the ability (and the judge authorized) to enter the Irish facility and take the machines by force if necessary -- that is how search warrants work.

The fact that they even requested it is troubling. The fact that the agency was granted it is fairly terrifying. If this doesn't get taken down in an appeal, the article and summary are correct, it means the US government is basically declaring sovereignty over the world even more than before. This isn't Afghanistan or Iraq, but Ireland they would be using force against.

The actual article says *nothing* about US agencies gaining physical access purely on the basis of a US warrant.

From the actual article: "A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said."

So the instrument really is more like a subpoena in that it forces action on the recipient, in this case to retrieve the data from the foreign location. It does not authorize any US official to seize the data from the foreign location without the involvement of the foreign authorities.

What if I encrypted a block of my data, broke those blocks up, then stored separate (non-duplicate) pieces in every country in the world? Would a court need to get every country's permission to assemble the data? Is the data an entity that has to be pursued independently of the owner (me)? Or as the owner, can my citizenship country (or a country that is pursuing me) instead demand all pieces based on me as the owner?

To summarize: Is my data legally independent from me?

They would simply ask you nicely to produce the data within some period of time. Then if you didn't do it they'd just lock you up until you did.

In just about any country the court is only going to ask you nicely to do something once. So, think about that before you put data you might be asked to produce in a place where you might have trouble getting to it.

There's a big difference... since in your example, person C was actually *IN* country A while the law was being broken. In this case, the data servers reside in country B, and were never actually in A's jurisdiction.

It automatically breaks the law of the foreign country. It is after all a search warrant and if the country has similar laws requiring a search warrant then the foreign part of the company is protected by law of that country. In this case the simple answer is, the warrant is issued, then served locally, then the company forwards the request and the foreign part of the company then refuses citing local law at their location. So locally they adhered to the law in both locations, both nothing happens and stup

I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

What is an "American" company? MS Europe is incorporated in Ireland, has a datacentre in Ireland, and pays taxes in Ireland. The FBI should be approaching the Irish authorities for access to this data.

Or look at it another way: Is Sony USA an American company, or a Japanese company? If it's a Japanese company, that means that the Japanese have the right to all data stored on Sony USA servers.

Or let's take this further: let's say the government of China had reason to believe that Cisco China had an NSA backdoor in its products as they were being deployed in China, and so ordered Cisco USA to turn over all emails, technical specifications and documentation.

Rinse and repeat with pretty much any Middle East country and Halliburton.

This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

If MS Europe is *really* independent, they can now turn down the request of MS USA for the data and the request will have to go through the Irish courts. But if they are *not* all that independent, and the data is not in fact controlled by them but by MS USA, then they can't interfere, MS USA will have to comply and I can just imagine what the tax authorities are going to do the morning after they produce the data: go after MS with a pretty big hammer.

Oh I agree, but that's usually why multinationals *do* have a real home. In case of Microsoft, it's the USA. So they're stuck with their laws. Their only solution is to give up control on part of their assets and split, but they'll fight tooth and nail to avoid that. So they're stuck. Or rather, they're not stuck - *we* are stuck. Because MS will just *shrug* and hand over the data, eventually.

This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

This is exactly what multinationals do. They love to have some weird, three-room office in an industrial park near the airport in someplace like Ireland that they can use as their tax headquarters to shelter a bunch of income from American taxes, but then keep t

This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

How is that a dangerous precedent for the US to set? As you just pointed out, they can say that they have a bigger army, and that is true. It would be a dangerous precedent for another country to set for sure.

In practice this is how most countries have operated since the dawn of time. They fully expect their citizens and corporations to collaborate with them in intelligence gathering against other nations, and they expect those same citizens and corporations to not collaborate with other nations in intel

I think the fact that it's an American company being ordered to produce the data factors in here.

Close, but wrong.

Being ordered to produce data is called a subpoena. That is the normal tool for producing emails and documents. A subpoena orders the company to find the documents meeting the criteria and produce them for the court.

A search warrant allows LEOs to enter the building, search for everything themselves, and seize anything that might appear to satisfy the warrant. So they would enter the server room and immediately seize any computer that looks like it might have the email on it.

The unnamed government agency got a warrant to seize a bunch of computers, and are acting under the guise that they are asking for specific information.

It is completely the wrong tool. It would be nice to think it was a simple mistake, picking the wrong tool to get information.... unless it is an agency looking to do far more than find some specific emails. Unfortunately it is probably the latter, given that everything is under seal and they are demanding to allow US federal agents into a non-US facility to seize servers.

So if I store a document in a vault provided by an American company in a foreign country, they must turn it over? Suppose the American company owns a building which they rent space in. Must they turn over documents stored there by third parties who are renting space?

Exactly. If this were an Irish company, located in Ireland, this wouldn't be an issue. It's no different than if the Court wanted access to your banking records in Switzerland. You're an American citizen, living in America, and sitting in an American courtroom, so they have the legal right to this information or money. If you refuse to comply, they can lock you up. If you're a Swiss citizen, living in Switzerland, and currently sitting somewhere in Europe, they have no power over you.

Well that's pretty hard to predict, so you just need to be prepared to abandon a company quickly if they are bought out by an American or multinational. It goes back to that "don't put all your eggs in one basket" axiom, plus the idea of being self-reliant when possible.

They don't hide their money, that is illegal. What they really do is use every tax loophole they can to shift money around to the most favorable spot on the planet for tax purposes. They report every red cent to the US agencies, and use every trick they lobbied to put into the book to say "Neener neener it's legal and you can't have any."

It's been that way a lot longer than 20 years. The difference now is that instead of buying large yachts and other luxury items as business expenses that can be depreciated then resold as a capital gain later, other countries have lowered their tax rates so moving the funds around makes more sense.

But if you really want to blame a president, you can blame Clinton because all of this off shoring wasn't prevalent until he became president and enacted policies that globalized companies in the way we see them t

More likely than not, it is because no matter how nasty and illegal you want to think hiding those assets off shore in havens might be, there is a possibility that it is done legally even if not ethically.

Look at it this way, several years ago, I purchased a rehab home. I moved into it, rented the old home out which made it my primary residence. I then used a grant through the utility company paid for by the state in order to remove the old plaster and lath, install modern insulation, seal the walls and dry

Yes, there is no difference and there never was. The legal issue is if it is under your control. Even forming a foreign company doesn't help, if it is a wholly owned subsidiary. You'd need a foreign partnership with other companies that you can't directly control, but that you still trust. And that is hard to come by at any price. So that game involves being able to control the company in reality, but not on paper. MS is probably too big to make that game work. And that works for random documents, but not

The judge said that the warrant served on Microsoft is valid, meaning that Microsoft, which has control of the servers in Dublin, can be required to use its access to its own servers to turn over information within its control. Nothing Earth-shattering here.

And what happens when Ireland, the UK, the EU etc pass laws which specifically prevent Microsoft et al from responding to such warrants when they are issued from countries where the data does not reside?

EU law already makes it illegal to pass "personal data" to any location which lacks the protections available in Europe. The so-called Safe Harbor provisions apply for the US situation, but everyone who understands the EU law knows that the Safe Harbor arrangements are just smoke and mirrors - they afford precisely no protection at all - they exist to enable EU companies to export data to the US while claiming they have complied with the law.

That's precisely why Microsoft is opposing this order, not so much to avoid turning this particular data over, but because it may damage their European business. Microsoft has made a big marketing push in Europe trumpeting that their cloud products comply with EU data-protection laws, and this has been somewhat successful: several big companies and universities have signed up with Office 365 as their email/calendaring provider, in part because they were convinced that doing so is compatible with their oblig

Ah, but it's not Irish citizen's data - it's Microsoft's data about Irish citizens. Possession is 9/10ths of the law after all. I'd bet you good money that the EULA even says something to that effect down around page 29475.

The judge said that the warrant served on Microsoft is valid, meaning that Microsoft, which has control of the servers in Dublin, can be required to use its access to its own servers to turn over information within its control. Nothing Earth-shattering here.

Unless servers actually belong to a business entity registered in Ireland (Microsoft office there or whatever), which is subject to EU laws and regulations, not to US judge opinions and wishes.

If server belongs to company registered in Ireland (regardless of who is the 'parent' company), they would likely be breaking EU laws and regulations if they would follow orders from US judge.

Do you have objections to Chinese judge ordering Huawei to disclose personal data of their US customers?

If you're debating about what you have "objections" to, that is a discussion better had on a thread about legislation. A thread about legal rulings hopefully centers around understanding what the law actually is right now, and potential differences of understanding on what that is.

Denmark recently sold its digital infrastructure (digital identities, national bank payments, etc) to a US company. The Danish government said there was nothing to worry about, because the servers would still be in Denmark. Thank you, USA, for proving the Danish government wrong.

I mean come on! This is reported on by Reuters, and they do not supply a link to the ruling itself. Which means they probably state the ruling all wrong and also leave out important details. In fact one detail I see at once is missing. Whose emails are these?

They could be Boris Putin's, or Kim Dotcom's, in which case I would have severe problems with the judge's orders. Or they could be Dread Pirate Roberts', or even Microsoft's operating emails stored in Dublin just to avoid having to turn them over, in which case I would have no problems with the judge's orders.

In any case please get us all the facts before putting up such a story. Is that really too much to ask?

The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime.

Why would I want to build an enforcement system when I don't know whose rules it will end up enforcing? China's? North Korea's? NSA's?

These days the public has a concept of what an American company is but I'm not so certain that the law shares the same concept. Corporations are multi-national these days and frankly the nature of multi national corporations sucks bilge water. Here is why: Going into WWII the Coca Cola company felt that they would take heat for producing product in Germany. So they created the Fanta line of sodas. That way they could still make money on all those lovely Nazi soldiers while keeping the public unawar

The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?

Any court that has personal jurisdiction over the corporation. Which is to say wherever the company is incorporated or resides. At a minimum the Federal and State court where the company is incorporated will have personal jurisdiction. There are no jurisdictional borders when it comes to corporations, either the court has personal jurisdiction over the company or it doesn't, and if it does it can issue any warrant it wants on the corporation. The court can't send its agents to another country to execute the

Any court that has personal jurisdiction over the corporation. Which is to say wherever the company is incorporated or resides.

Good news, everyone... Microsoft US, Inc. and Microsoft Ireland, Inc. are separate corporations with their own separate trustees/agents. The court might want to issue a search warrant for officers to visit Microsoft Ireland's premises and seize potential evidence, BUT only Microsoft US has a presence in the US, therefore, the court has no ability to hold Microsoft

Where the servers reside is simply not relevant because the corporation resides within the jurisdiction of the court, corporations are people and because a company is one legal entity the court has jurisdiction over all of the company, regardless of where its assets are physically located. It's called personal jurisdiction and the ruling is correct, it will be upheld if appealed. If you don't want to be subject to American jurisdiction then don't incorporate in America, it's really that simple.

As far as I know, multinational companies are really a collection of separate companies, all incorporated in the countries they are physically located in and pay taxes in that country. It's the reason why much of Apple's income is held by foreign versions of Apple. Yes, they all report to the mothership, but that mothership doesn't have sovereignty or jurisdiction over it. I'd love for some Irish barrister to send a letter telling this Judge to go feck-off along with a subpoena the Judge's phone records bec

If the subsidiary is wholly-owned then the parent company does indeed control the information and has to produce it. The tax-game stuff is not a loophole created by lack of jurisdiction, it is loopholes created by the specific ways the tax laws are written to favor certain strategies.

A subsidiary company has a separate board of directors. It is the task of those directors to run the company in the interests of the shareholder, in accordance with local law. In this case, given that the company is subject to European Data Protection legislation, it would be for the local directors to refuse to obey the court order - and invite MS USA to sack them at an AGM. By the time the AGM comes along, there's a good chance that either the Irish courts will have got involved, or the US government will

And yes, French courts could issue any sort of ruling they want against French companies. If you're a French company and there is some French law about online language, you'd be well advised to obey it.

For EU companies it is now impossible to store user related or other sensitive data on servers or cloud nodes provided by US American companies. Data privacy regulations in the EU would prohibit the use of such infrastructure. Even though there is a "safe harbor" treaty.

It is data about a person, in many cases it is literally the documents, calls, emails, tweets, IMs of people to people. That clearly belongs to the persons themselves, not to some company that wrote an app used to interact with that data or the companies providing the pipes for it to travel across. So that it is an American company really has nothing to do with it if we see it from the logical point of view of who the data belongs to. If it belongs to a European then it is governed by European law. P

They're not demanding from the countries. They're going after Microsoft, which happens to have offices in the US. Either way, those who believe should encrypt their mails. The rest can hide their secret messages in spam.

Microsoft, however, is subject to the jurisdiction of the U.S. Federal Court system, and when a Magistrate Judge orders them to produce something, they are compelled to produce it. It doesn't really matter where the something is. Basically the court is saying the search warrant can be executed like a subpoena.

From the linked article: A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said.

This pretty obviously needs to be a subpoena, a search warrant is from a law enforcement standpoint and that has zero use for data in a physical location outside the US. It's an attempt to end run around the system and it's far reaching and needs to be quashed immediately.

This pretty obviously needs to be a subpoena, a search warrant is from a law enforcement standpoint and that has zero use for data in a physical location outside the US. It's an attempt to end run around the system and it's far reaching and needs to be quashed immediately.

Except that the Microsoft servers in Ireland are owned by a different legal entity, Microsoft Ireland (or something), and not the US Microsoft. It works for taxes... so it must work for other government thingies, right?

The search warrant analogy is completely spurious. An American court cannot compel a search of a foreign property. But they can certainly compel an American company (or individual) to produce information owned by the company that happens to reside in a file folder in another country, or be liable for contempt of court.

In what appears to be the first court decision addressing the issue, U.S. Magistrate Judge James Francis in New York said Internet service providers such as Microsoft Corp or Google Inc cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies.

Emphasis mine. I read this to mean that if you use any US owned mail provider the FBI can subpoena anything they want through a US judge. That just seems horribly wrong and would put the world wide operation of any company at the mercy of the jurisdiction where they're headquartered. By this logic the NSA can get a subpoena to demand all US companies turn over any information they got anywhere in the world. You could never trust a foreign company to follow local laws. If this stands it's a horrible precedent.

Now you're getting it. Deal with an American company, you deal with American law, in addition to local law. If those conflict then it simply comes down to which law the company is least willing to break.

Consider, the opposite precedent is even worse - if Microsoft is allowed to hide its records simply because it stored them overseas then *every* company (and private individuals as well) can reasonably be expected to do the same. Using the company as your private piggy bank? Keep the financial records o

That's a much better argument than the one I was commenting on (made by MS lawyer), but hardly a trump card.

The FBI (or any other agency/court) can certainly argue for a subpoena for data given to a third party. Whether they ever actually get it or not is another story.

Party A hands Party B an envelope, and says "store this for me". Party B happens to store it in a foreign country. Said foreign country happens to have a law that requires people holding information fo

The FBI (or any other agency/court) can certainly argue for a subpoena for data given to a third party. Whether they ever actually get it or not is another story.

That is correct. They can use a subpoena for it.

A subpoena tells the organization to collect the documents and turn it over in a reasonable time frame.

But they are not using a subpoena. They are using a search warrant.

A search warrant allows LEOs to search the buildings and seize anything that looks like it might have the stuff in the warrant. As in, "These servers look like they might have email, remove them all from the building." A search warrant and a subpoena are radically different legal instrumen

A search warrant and a subpoena are radically different legal instruments.

This seems to be in the form, "they are different, therefore they are very different. They're so radically different they're not even exactly the same!"

If you have to stretch that far, it shows you're not confident in the level of difference. If it turns out that they're actually very similar, especially if the hypothetical subpoena is from a LEO, then the judge might reasonably weigh that difference against MS refusing to produce relevant information, and find that in the balance justice is better served b

As an American it seems pretty obvious that if I deal with an Irish company, that company could be forced to release information about me or held for me in response to orders from Irish courts.

I'm surprised people are surprised by this, and it raises the question; with a user id that low, have you made it your whole life without turning to page 2 for the rest of stories about legal disputes? Do you really not read the whole newspaper? How could you not know, and yet somehow be a "nerd" in this age of global

Microsoft does not own the information; they as a third party own the server on which someone else's information resides, a server which is held and taxed as a foreign asset outside US regional jurisdiction. It's one thing to compel Microsoft as a transnational company to produce one of their corporate records regardless of where they have stored it: agreeing to subject themselves to the US judicial system is part of incorporating in the US. It's entirely another when they are being told their foreign offices are actually territory of the US government and anyone or anything which resides there must submit to the pleasures of the US judicial system.

If I had written a letter in Britain and put it in a British safety deposit box I don't think the court would have the guts to demand it, even if the bank were jointly owned in the US. But scan that letter and store on the server and suddenly it's free game. Why? Because now it's easy to sneak the data out of the country without bothering the local authorities? Good news for people torrenting.

I suppose if you live in other countries you should doublecheck that any web companies you do business with do not also have a US presence because if they do any of your data could be subject to requisition by the US government even if it's data which has never left your country.

With apologies to various political hacks in the judiciary, corporations are not people...

Actually the U.S. Supreme Court did *not* say that corporations are people. What the court actually said is that *groups of people* have the same rights as individual people, and that the nature of that group -- corporation, labor union, activist group, etc -- does not matter.

I apologize for actually reading the court decision rather than relying on the characterization of it by the talking heads on TV.

The court is corrupt; their reasoning is often quite poor for educated, experienced and honorable judges. That is no more likely to be true than a Priest is safe around children; the title doesn't give them unquestionable character.

A group of people is entirely different than a legal corporation! I can't believe they'd do something so idiotic... while I expected the result, I found their justification embarrassingly flawed; I expected better BS.

Actually I'm pretty sure that if you were subpoenaed to deliver your tax documents or other records that were stored in your house in Ireland, you'd still be legally required to provide them. And it sounds like electronic search warrants are typically handled more like a subpoena than a traditional search warrant - i.e. the company provides the data rather than officers going in to seize it. So no, the US law enforcement has no jurisdiction to search the Ireland offices (without local cooperation), but Mi

The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?

There are myriad of such questions. But the answer is always the same, "whatever is in the best interests of the richer guy".

You are wrong. The richer guy is Microsoft in this case and the richer guy is being told to hand over his overseas data.

Nope. Microsoft may have a lot of money, but the guy they're up against here is the US Federal government, an entity with nearly $3 TRILLION per year in revenues (and $4 TRILLION per year in expenditure), clearly by far the "richer guy".

A subpoena is an order to produce a document (or to require a person to appear). This is the tool they would normally use to get an email or any other document. The LEOs do not get any access except to have the document produced.

A search warrant is an order allowing LEOs to immediately search everything they want, and then seize whatever they think satisfies the warrant.

Normally a subpoena is used to get an email. The company searches their databa

The Judge ordered the information, there's not much a LEO can do except comply; or appeal to a higher court. This could be considered a stalling tactic. As for the reference to the judge as a tool; now I see comedy.

The Judge ordered the information, there's not much a LEO can do except comply; or appeal to a higher court. This could be considered a stalling tactic. As for the reference to the judge as a tool; now I see comedy.

Yes, a judge can order the information for himself, but that isn't what happened. Almost always it is the LEOs demanding the warrants, and that is what happened here.

The LEOs go to the judge and say "we need a search warrant", or "we need a subpoena". The judge reviews the request and signs off.

In this case the officers requested a search warrant, which allows the seizure of equipment. They want to capture entire servers, make images of them, and then store the servers for the court.

The number of countries that had to change their own laws to permit their banks to previously-illegally hand over data to the IRS under that law is staggering. All because the US government included an enforcement clause allowing them to seize ("tax") essentially 30% of any foreign bank's US holdings if they withheld any data from the IRS.

And to think, this was all in aid of making sure US citizens with no remaining link to the US barring a passport continue to pay US taxes to a government that doesn't rep

I'm surprised any business risks having US presence with such a hostile government.

Businesses are in fact taking the second option: If they don't do business with US persons, they can mostly ignore FATCA. Try opening a stock market account as a US person in a foreign country - most financial institutions will probably refuse you.